NOTE: The default configuration files delivered with HP-UX RBAC contain a single preconfigured role: Administrator. By default, the Administrator role is assigned all HP-UX system authorizations (hpux.*, *) and is associated with the root user.

After defining valid roles, you can assign them to one or more users or UNIX groups. Attempting to assign a role that has not been created displays an error message indicating that the role does not exist.

Assigning Roles to Users

Separating role creation from role assignment offers the following advantages:

Because roles must be created before they can be assigned, a role name mistyped during assignment is rejected with an error instead of being silently accepted.

Different users can perform each task; the same user is not required to both create the roles and assign the roles.

After creating valid roles, use the roleadm command to assign them to the appropriate users, as shown in the following examples:

# roleadm assign luman Administrator
roleadm assign done in /etc/rbac/user_role

# roleadm assign rwang UserOperator
roleadm assign done in /etc/rbac/user_role

After using the roleadm assign command to assign roles to users, use the roleadm list command to verify that the roles were assigned correctly, for example:

# roleadm list
root: Administrator
luman: Administrator
rwang: UserOperator

NOTE: HP-UX RBAC offers the ability to add a special user named DEFAULT to the /etc/rbac/user_role database. Assigning a role to the DEFAULT user means any user that does not exist on the system is assigned that role.

Assigning Roles to Groups

HP-UX RBAC also enables you to assign roles to UNIX groups. The roleadm options that take a user value, such as roleadm assign <user> role and roleadm revoke <user> role, are also used to administer groups and roles.

To assign, revoke, or list group and role information with roleadm, supply the group name in place of the user value with an ampersand (&) inserted at the beginning. Because the shell would otherwise interpret & as a background operator, the ampersand and group name must be shell escaped or enclosed in quotation marks so that roleadm receives them intact. For example:

# roleadm assign "&groupname" role
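The following script is an added example, not code from the HP-UX manual or from the roleadm tool. It audits roleadm list output of the kind shown under Assigning Roles to Users, together with the &group entries described in this section: it reports Administrator held by any account other than root, a DEFAULT entry (which hands a role to users the system does not know), and every group-level assignment, and it builds a correctly quoted group assignment command. The one-assignment-per-line "name: Role" format, the sample entries (luman, rwang, a hypothetical sysadm group), and all function names are assumptions; roleadm itself is never invoked, so the script runs offline on the constructed sample and can be fed real output with `roleadm list | sh -c '. ./audit.sh; audit_user_role'`.

```shell
#!/bin/sh
# Added example (not from the HP-UX RBAC manual): audit "roleadm list" output.
# Assumed input format: one "name: Role" line per assignment, as in the
# roleadm list output quoted in the manual; group entries use the "&group"
# form described in the text.

# Constructed sample of roleadm list output; not captured from a real host.
SAMPLE_USER_ROLE='root: Administrator
luman: Administrator
rwang: UserOperator
&sysadm: UserOperator
DEFAULT: UserOperator'

# Print, space separated, every name (user or &group) holding role $1.
# Reads roleadm list output on stdin.
role_holders() {
    awk -F': ' -v role="$1" '
        $2 == role { printf "%s%s", sep, $1; sep = " " }
        END { print "" }'
}

# Print the users (root and groups excluded) that hold Administrator.
unexpected_admins() {
    awk -F': ' '
        $2 == "Administrator" && $1 != "root" && $1 !~ /^&/ {
            printf "%s%s", sep, $1; sep = " "
        }
        END { print "" }'
}

# Print the role given to the DEFAULT pseudo-user, or nothing if unset.
default_role() {
    awk -F': ' '$1 == "DEFAULT" { print $2 }'
}

# Print "group role" for every group-level (&group) assignment.
group_assignments() {
    awk -F': ' '$1 ~ /^&/ { print substr($1, 2), $2 }'
}

# Accept only names safe to pass to roleadm from a script: letters, digits,
# underscore, hyphen. Anything else (including a stray &) is rejected.
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the roleadm command that assigns role $2 to UNIX group $1, with the
# leading ampersand quoted so the shell cannot treat it as a background
# operator. Inspect the printed command before running it.
group_assign_cmd() {
    valid_name "$1" && valid_name "$2" || return 1
    printf 'roleadm assign "&%s" %s\n' "$1" "$2"
}

# Run all checks over roleadm list output on stdin; print findings and
# return 1 if anything worth review was found, 0 otherwise.
audit_user_role() {
    input=$(cat)
    found=0
    admins=$(printf '%s\n' "$input" | unexpected_admins)
    if [ -n "$admins" ]; then
        echo "FINDING: Administrator held by non-root user(s): $admins"
        found=1
    fi
    dflt=$(printf '%s\n' "$input" | default_role)
    if [ -n "$dflt" ]; then
        echo "FINDING: DEFAULT entry grants $dflt to every unknown user"
        found=1
    fi
    printf '%s\n' "$input" | group_assignments | while read -r grp role; do
        echo "INFO: group $grp holds $role (review the group's membership)"
    done
    return $found
}

# Demonstration on the constructed sample; on a real host pipe in
# "roleadm list" instead.
printf '%s\n' "$SAMPLE_USER_ROLE" | audit_user_role || echo "audit: review the findings above"
group_assign_cmd sysadm UserOperator
```

The checks are deliberately narrow: they parse only the listing and never change the user_role database, so the script can run as an unprivileged reviewer before anyone types a roleadm assign or revoke.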

Step 2: Configuring Authorizations

Configuring authorizations is similar to creating and assigning roles, but an authorization has two elements: an operation and an object. The * wildcard—the most commonly used object—is the implicit object used if you do not specify an object when invoking the authadm command. In many cases the object is deliberately left unspecified so that the operation applies to all objects. Leaving the object unspecified is common for authorizations that apply to wrapped

Configuring HP-UX RBAC 37

HP-UX 11i Role-based Access Control (RBAC) Software manual